A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290.
The activity, disclosed by Cisco Talos in an advisory published today, has been ongoing since at least 2022 and focuses on gaining deep, persistent access to networks considered strategically significant.
The campaign centers on telecommunications providers, a sector that plays a critical role in national infrastructure.
According to the report, UAT-7290 conducts extensive technical reconnaissance before launching intrusions, carefully mapping environments to maximize the effectiveness of follow-on activity.
In recent months, the group has also expanded its targeting into Southeastern Europe.
Beyond espionage, the threat actor appears to have recently established Operational Relay Box (ORB) infrastructure, effectively converting compromised systems into relay nodes that can be leveraged by other China-nexus groups. This suggests UAT-7290 functions not only as an intelligence collection operation but also as an initial access facilitator.
Cisco Talos assessed with high confidence that UAT-7290 is linked to the China-nexus of advanced persistent threat (APT) actors.
The group primarily compromises public-facing edge devices, exploiting one-day vulnerabilities in widely deployed networking products and using target-specific SSH brute-force techniques.
Rather than developing bespoke exploits, the actor appears to rely on publicly available proof-of-concept (PoC) code.
Investigators observed notable overlaps with known China-linked operations. These include similarities with RedLeaves, associated with APT10, and ShadowPad, a malware family used across multiple Chinese threat groups.
Victimology and infrastructure also overlap with Red Foxtrot, a group previously linked to a People’s Liberation Army unit.
UAT-7290’s tooling is largely Linux-based and tailored for edge devices. The core malware families tracked by Cisco Talos include:
-
RushDrop, a dropper that initiates the infection chain
-
DriveSwitch, used to execute the primary implant
-
SilentRaid, the main backdoor that maintains persistent access
SilentRaid is modular, allowing operators to deploy capabilities such as remote shell access, file management and port forwarding based on operational needs.
Another implant, Bulbature, is used to transform compromised devices into relay infrastructure. Recent variants include a self-signed certificate that researchers identified on at least 141 hosts located in China or Hong Kong. Several of these systems have also been linked to other malware families commonly associated with China-nexus activity.
Cisco Talos said the campaign highlights the sustained focus on telecommunications networks in South Asia and underscores the strategic value of these environments to advanced threat actors.